Hi, there are probably a couple of ways to achieve this, but here's a common pattern. With Control Tower, it sets up the centralized log bucket, but also configures a CloudWatch Log Group in each account for local CloudTrail logs. You can create Metric Filters on that Log Group for specific actions, for instance IAM policy changes or failed logins. Documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html and https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html.
That log filter can send the alerts to the Control Tower created SNS topic aws-controltower-SecurityNotifications. This topic forwards the alerts via a Lambda function to a topic in the Audit account, which can then have subscriptions to email, PagerDuty, etc. Bear in mind that the central SNS topic may get a little noisy, so it may be a case of creating new topics. You could also subscribe to the SNS topics in each account differently. That would provide some flexibility on who/what gets alerts from specific accounts.
On the deployment side, if you are using CloudFormation and create a template for the metric filters, then the Customizations for Control Tower solution https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/ or Organizations StackSets https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/ can help you deploy the same template to many accounts quickly and easily, managing the deployment and updates from a central location.
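As an added illustration (not code from the answer above or from any linked AWS resource), here is a CloudFormation template for the pattern described: metric filters on the account-local CloudTrail log group for IAM policy changes and failed console sign-ins, with alarms that publish to the aws-controltower-SecurityNotifications topic in the same account. The log group name `aws-controltower/CloudTrailLogs` and the alarm thresholds are assumptions; check the log group name Control Tower created in your account before deploying via StackSets.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Metric filters and alarms on the local CloudTrail log group, alerting via the Control Tower SNS topic
Resources:
  # Any of these IAM policy-mutating eventNames increments the metric by 1
  IamPolicyChangesFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: aws-controltower/CloudTrailLogs   # assumed name; verify in the member account
      FilterPattern: >-
        { ($.eventName = PutUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) ||
          ($.eventName = AttachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = AttachRolePolicy) ||
          ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) }
      MetricTransformations:
        - { MetricNamespace: Security/CloudTrail, MetricName: IamPolicyChanges, MetricValue: '1', DefaultValue: 0 }
  # Failed console sign-ins are ConsoleLogin events whose errorMessage is "Failed authentication"
  FailedConsoleLoginFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: aws-controltower/CloudTrailLogs   # assumed name; verify in the member account
      FilterPattern: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
      MetricTransformations:
        - { MetricNamespace: Security/CloudTrail, MetricName: FailedConsoleLogins, MetricValue: '1', DefaultValue: 0 }
  # A single policy change in a 5-minute window is worth a notification
  IamPolicyChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CloudTrail-IamPolicyChanges
      Namespace: Security/CloudTrail
      MetricName: IamPolicyChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Sub arn:aws:sns:${AWS::Region}:${AWS::AccountId}:aws-controltower-SecurityNotifications
  # Three or more failed sign-ins in 5 minutes (threshold is an assumed tuning value)
  FailedConsoleLoginAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CloudTrail-FailedConsoleLogins
      Namespace: Security/CloudTrail
      MetricName: FailedConsoleLogins
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 3
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Sub arn:aws:sns:${AWS::Region}:${AWS::AccountId}:aws-controltower-SecurityNotifications
```

Because the topic ARN is built from the deploying account and region, the same template can be pushed unchanged to every member account with StackSets.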
Hi Jimmy, thanks for the suggestions. I was considering connecting it to the CloudWatch Log Group created in each member account for CloudTrail; however, I am more interested in distinct events than metric alerts at the moment, so I would have to use a subscription filter instead of a metric filter on the log group. But the subscription filter does not support an SNS topic or Event Bus in the same or a different account.
That is why I chose a default Event Bus filter on CloudTrail events in the member account, forwarding to a Custom Event Bus in the Audit Notifications account. A similar template https://gist.github.com/Halama/e5db7ab0cc7b2762ff7f9a28fa1eac84#file-cloudtrail-would be deployed into each member account using Organizations StackSets as you suggested (CT customizations are promising but at the moment seem too complex).